CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit likelihood: High

Parent: CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
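The two halves of that definition, user data becoming SQL syntax and the fix that keeps it as data, are easier to see in code. The block below is an added example written for this page, not code from CWE-89 itself or from any product listed here. It uses Python's built-in sqlite3 module against a constructed in-memory table: login_vulnerable() pastes input into the statement text (the CWE-89 pattern), login_parameterized() binds the same input as parameters, and list_users_sorted() shows the case bound parameters cannot cover, a caller-chosen column name, which several entries in the list below (unvalidated column and collection names interpolated into queries) fall under. The table name, columns, user rows and allowlist are assumptions made for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demo (not taken from any real product)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """CWE-89: input is spliced into the SQL text, so a quote character in
    the input ends the literal and whatever follows runs as SQL."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Hardened form: the statement is fixed and the values are bound as
    parameters, so a quote in the input is compared, never parsed."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Assumed allowlist for the demo: the only column names a caller may sort by.
ALLOWED_SORT_COLUMNS = {"id", "username", "role"}


def list_users_sorted(conn, sort_column):
    """Identifiers (column or table names) cannot be bound as parameters,
    so a caller-supplied column name must be checked against an allowlist
    before it is placed in the query text; quoting alone is not enough."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % (sort_column,))
    sql = 'SELECT username FROM users ORDER BY "%s"' % sort_column
    return [row[0] for row in conn.execute(sql).fetchall()]


if __name__ == "__main__":
    db = make_db()
    # Tautology in the password field: the trailing OR '1'='1' matches every row.
    print("vulnerable :", login_vulnerable(db, "alice", "' OR '1'='1"))
    print("parameterized:", login_parameterized(db, "alice", "' OR '1'='1"))
    # Comment sequence in the username field: the password check is cut off.
    print("vulnerable :", login_vulnerable(db, "alice'--", "wrong"))
    print("parameterized:", login_parameterized(db, "alice'--", "wrong"))
    print("sorted     :", list_users_sorted(db, "username"))
```

Running the script shows the vulnerable function returning every user for the tautology payload and the admin row for the comment payload, while the parameterized function returns nothing for both. The identifier case is the one to remember when reading entries such as the column-name and collection-name injections below: a driver's parameter binding does not apply to it, so the application has to constrain the identifier itself.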

19,406 vulnerabilities with CWE-89
CVE             Severity        CVSS  Title (a dash means no score is listed on this page)
CVE-2026-7815   HIGH            8.8   pgAdmin 4: SQL injection in Maintenance tool option values leading to remote code execution
CVE-2026-6093   MEDIUM          -     Corteza 2024.9.8 - SQL Injection in MSSQL JSON-path meta filter via incorrect T-SQL string escaping
CVE-2026-8231   MEDIUM          6.3   CodeAstro Online Catering Ordering System deleteorder.php sql injection
CVE-2026-8207   HIGH            -     Gibbon < 30.0.01 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-42287  CRITICAL        -     Emlog: SQL Injection Vulnerability in log_model.php within addLog() and updateLog() Functions
CVE-2026-41889  CRITICAL        9.8   pgx: SQL Injection via placeholder confusion with dollar quoted string literals
CVE-2026-37431  CRITICAL        9.8   Beauty Parlour Management System 1.1 - SQL Injection
CVE-2026-44337  MEDIUM          6.3   PraisonAI knowledge-store backends interpolate unvalidated collection names into SQL and CQL queries
CVE-2026-41496  HIGH            8.1   PraisonAI < 4.6.9 Conversation Store Backends - SQL Injection
CVE-2026-4935   HIGH            8.6   OttoKit WordPress Plugin < 1.1.23 - Unauthenticated SQL Injection
CVE-2026-8133   HIGH            7.3   zyx0814 FilePress Shares Filelist API admin.php sql injection
CVE-2026-8132   HIGH            7.3   CodeAstro Leave Management System login.php sql injection
CVE-2026-8131   HIGH            7.3   SourceCodester SUP Online Shopping replymsg.php sql injection
CVE-2026-8130   HIGH            7.3   SourceCodester SUP Online Shopping message.php sql injection
CVE-2026-8129   HIGH            7.3   SourceCodester SUP Online Shopping wishlist.php sql injection
CVE-2026-42208  CRITICAL (KEV)  9.8   LiteLLM: SQL injection in Proxy API key verification
CVE-2026-8128   HIGH            7.3   SourceCodester SUP Online Shopping viewmsg.php sql injection
CVE-2026-8126   HIGH            7.3   SourceCodester Comment System post_comment.php sql injection
CVE-2026-8125   MEDIUM          6.3   code-projects Simple Chat System sendMessage.php sql injection
CVE-2026-8114   MEDIUM          6.3   JeecgBoot JSON Object loadTreeData sql injection
CVE-2026-8098   HIGH            7.3   code-projects Feedback System checklogin.php sql injection
CVE-2026-8097   MEDIUM          6.3   CodeAstro Online Classroom askquery.php sql injection
CVE-2026-8083   HIGH            7.3   SourceCodester Pharmacy Sales and Inventory System ajax.php save_user sql injection
CVE-2026-44349  HIGH            -     Daptin fuzzy search injects unvalidated column name into raw SQL
CVE-2026-41422  HIGH            8.3   Daptin vulnerable to SQL injection via unvalidated goqu.L() calls in aggregate API